When building a cryptographic device one must worry not only about choosing sound cryptographic primitives, but also about the prevention of side-channels. Through a side-channel an attacker obtains information about a cryptographic computation that goes beyond the normal input-output behavior. A side-channel attack is an attack based on information gained from the physical implementation of a cryptosystem rather than only on analysis of the cryptographic algorithm and/or brute force.
A particular strong side-channel is the so-called white-box attack model. In the white-box attack model, an attacker has full access to the internals of an algorithm during its execution. In particular, the attacker can observer variables and may even modify the data during execution. Protecting secret information such as secret keys is particularly hard in the white-box model.
In the paper “DES and the Differential Power Analysis, The “Duplication” method”, by Goubin and Patarin a suggestion is given on how to prevent some side-channel attacks. In this paper a variable v is represented by k variables v1, . . . , vk such that v=Σvi. The side-channel considered in this paper is the electric consumption of the microcontroller.
The inventors have found that this solution is not adequate in the white-box model, and can be broken. It is therefore a problem to improve resistance of implementations of cryptographic functions under the white-box attack model.